Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

cognito user pool custom attribute in IAM Policy Conditions with Dynamodb Fine grained access

I have one Cognito User Pool with a custom attribute organisation_id. One Organisation may have multiple users. There can be multiple organisations. Another Dynamodb table is used to maintain Categories which has _id and organisation_id as partition key. Categories can be owned by Organisation so that users belong to that particular Organisation perform some operation in those categories only.

Now, how can I create the IAM policy so that it takes the organisation_id instead of sub/user_id as it is explained here
http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/specifying-conditions.html

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "AllowAccessToOnlyItemsMatchingUserID",
        "Effect": "Allow",
        "Action": [
            "dynamodb:GetItem",
            "dynamodb:BatchGetItem",
            "dynamodb:Query",
            "dynamodb:PutItem",
            "dynamodb:UpdateItem",
            "dynamodb:DeleteItem",
            "dynamodb:BatchWriteItem"
        ],
        "Resource": [
            "arn:aws:dynamodb:us-west-2:123456789012:table/GameScores"
        ],
        "Condition": {
            "ForAllValues:StringEquals": {
                "dynamodb:LeadingKeys": [
                    "${cognito:organisation_id(?)}"

                ],
                "dynamodb:Attributes": [
                    "UserId",
                    "GameTitle",
                    "Wins",
                    "Losses",
                    "TopScore",
                    "TopScoreDateTime"
                ]
            },
            "StringEqualsIfExists": {
                "dynamodb:Select": "SPECIFIC_ATTRIBUTES"
            }
        }
    }
]}

So my main requirement is to get custom user pool attribute in IAM policy through cognito. How is that possible?

like image 553
Indrajit Dan Avatar asked Apr 20 '17 09:04

Indrajit Dan


People also ask

How do I change the attributes of an Amazon Cognito user pool after creation?

Short description. You can't change standard user pool attributes after a user pool is created. Instead, create a new user pool with the attributes that you want to require for user registration. Then, migrate existing users to the new user pool by using an AWS Lambda function as a user migration trigger.

Which techniques should you use to secure Amazon DynamoDB?

Encryption and tokenization are key to database security. Enabling encryption at rest ensures that you can only read the data stored within the DynamoDB database and DynamoDB table backups outside of the AWS account with AWS KMS encryption key permissions explicitly granted, in addition to DynamoDB table permissions.

Is Cognito user pool ID sensitive?

In summary "userPoolId" is your sensitive info and should not be exposed in your Client.

Which option allows you to assign the user pool to the API?

Answer: Instead of using the API Gateway console, you can also enable an Amazon Cognito user pool on a method by specifying an OpenAPI definition file and importing the API definition into API Gateway.


1 Answers

This is not possible. It would require IAM roles to be able to identify custom attributes from any cognito user pool. It's an interesting feature though, will discuss it with the team.

However, as an alternative you can look at Cognito identities and role base access control

http://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html

like image 96
Vasileios Lekakis Avatar answered Sep 19 '22 09:09

Vasileios Lekakis